FBI accused of planting backdoor in OpenBSD IPSEC stack

A former OpenBSD contributor claims that the FBI paid open source developers …

In an e-mail sent to BSD project leader Theo de Raadt, former NETSEC CTO Gregory Perry has claimed that NETSEC developers helped the FBI plant "a number of backdoors" in the OpenBSD cryptographic framework approximately a decade ago.

Perry says that his nondisclosure agreement with the FBI has expired, allowing him to finally bring the issue to the attention of OpenBSD developers. Perry also suggests that knowledge of the FBI's backdoors played a role in DARPA's decision to withdraw millions of dollars of grant funding from OpenBSD in 2003.

"I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI," wrote Perry. "This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn't want to create any derivative products based upon the same."

The e-mail became public when de Raadt forwarded it to the OpenBSD mailing list on Tuesday, with the intention of encouraging concerned parties to conduct code audits. To avoid entanglement in the alleged conspiracy, de Raadt says that he won't be pursuing the matter himself. Several developers have begun the process of auditing the OpenBSD IPSEC stack in order to determine if Perry's claims are true.

"It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack," de Raadt wrote. "Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations are."

OpenBSD developers often characterize security as one of the project's highest priorities, citing their thorough code review practices and proactive auditing process as key factors that contribute to the platform's reputedly superior security. If Perry's allegations prove true, the presence of FBI backdoors that have gone undetected for a decade would be a major embarrassment for OpenBSD.

The prospect of a federal government agency paying open source developers to inject surveillance-friendly holes in operating systems is also deeply troubling. Similar backdoors could exist on other software platforms. It's still too early to know if the claims are true, but the OpenBSD community is determined to find out if they are.

113 Reader Comments

" One of the basic tenets of open source software is that it is inherently safer than proprietary software because of the transparency and so many people looking at it...

It would seem likely that the FBI or some other organization could pay Microsoft or other proprietary vendors to plant backdoors. What you lose with closed-source is the ability for anyone with the skill to audit the code.

Various parties have long speculated that there are backdoors into Windows, but unless the source gets leaked, we'll never know. I'd still trust the security of OpenBSD over Windows any day.

For those who manage or contribute to open source projects: just how often are real, sit down and go over the code line by line security audits performed? How long would it take to do this for an entire network stack? And was it done in this case looking for subtle issues that would open a key? I don't know the answer to these questions and I'd really like to understand because it IS a fundamental tenet of open source software.

Is it true that all open source OSes use the OpenBSD network stack or a fork thereof, and MacOS X, as it is BSD-based? Wouldn't that place a backdoor on every computer, government or not, using that OS? Given that the code is open source, wouldn't it be possible for any intelligence agency in the world to track those backdoors and use them?

" One of the basic tenets of open source software is that it is inherently safer than proprietary software because of the transparency and so many people looking at it...

It would seem likely that the FBI or some other organization could pay Microsoft or other proprietary vendors to plant backdoors. What you lose with closed-source is the ability for anyone with the skill to audit the code.

Various parties have long speculated that there are backdoors into Windows, but unless the source gets leaked, we'll never know. I'd still trust the security of OpenBSD over Windows any day.

Except for one point...as so often pointed out during other discussions, Windows is easily the most heavily scrutinized software project the world has ever seen. Black, blue and white hats look over the functioning of the system, particularly the security system, looking for hacks on a continual basis. Microsoft DOES provide source access (with stringent legal requirements) to companies and governments exactly so they CAN trust the system by doing their own audit. There are simply far, FAR too many people looking at Windows for this to even be a reasonable argument.

I seem to remember at least one article about the DOJ working with Microsoft to "confirm security standards..." during the development of Windows 7. It would be nice to know if that led to backdoors in Win7.

Anyhow, this is almost certainly all BS. As stated in the mail thread: OpenBSD doesn't accept crypto patches from Americans or anyone currently living in the US. They're too afraid of running afoul of US crypto export laws. So in effect, the FBI would have had to hire foreign nationals to insert these back doors, and then hoped and prayed they could figure out how to enforce NDAs.

Also, IIRC, classified information is not subject to the usual contractual NDAs. If the FBI did this, it would be classified/secret/top-secret, not merely NDA, and therefore he just committed treason, unless someone in the US government declassified this info (why would they *EVER* do that? They're not even declassifying the stuff published by wikileaks, and that's public knowledge. Double-think is real.)

Hrmmm, NDA actually makes the most sense. Combine all that above together, what is the FBI to do since [theoretically] outside US jurisdiction classified doesn't carry legal weight. So the FBI sets up a front company in another country, so they have legal standing there. They fund the company. Then this company makes a contractual agreement with citizen of that country.

" One of the basic tenets of open source software is that it is inherently safer than proprietary software because of the transparency and so many people looking at it...

It would seem likely that the FBI or some other organization could pay Microsoft or other proprietary vendors to plant backdoors. What you lose with closed-source is the ability for anyone with the skill to audit the code.

Various parties have long speculated that there are backdoors into Windows, but unless the source gets leaked, we'll never know. I'd still trust the security of OpenBSD over Windows any day.

Why do they have to pay the whole of MS? Surely they could just bribe one developer to add a backdoor; it would probably be cheaper, although less likely to work.

" One of the basic tenets of open source software is that it is inherently safer than proprietary software because of the transparency and so many people looking at it...

It would seem likely that the FBI or some other organization could pay Microsoft or other proprietary vendors to plant backdoors. What you lose with closed-source is the ability for anyone with the skill to audit the code.

Various parties have long speculated that there are backdoors into Windows, but unless the source gets leaked, we'll never know. I'd still trust the security of OpenBSD over Windows any day.

Why do they have to pay the whole of MS? Surely they could just bribe one developer to add a backdoor; it would probably be cheaper, although less likely to work.

This.

And if MS was in collusion with the government, what proof is there that the source code they provide for review is the source code used to compile the end product? Do they let the vendors compile Windows themselves? I have my doubts.

For those who manage or contribute to open source projects: just how often are real, sit down and go over the code line by line security audits performed? How long would it take to do this for an entire network stack? And was it done in this case looking for subtle issues that would open a key? I don't know the answer to these questions and I'd really like to understand because it IS a fundamental tenet of open source software.

Patches are almost always individually pretty small and gone over in detail by the person in charge of that subsystem before being committed. The only way to slip something in would be to have the maintainer be the one to take the bribe. Full scale code reviews are pretty rare for most products, but you also do have a lot of people just randomly looking at the code to find a bug or for their own enrichment. For a backdoor to stay in a system like this for ten years undetected it would have to be incredibly subtle and clever, and be very lucky.

I see four or more open source IPsec stacks listed on wikipedia. I bet the authors of each looked at others, and would have noticed any backdoors. Then there are thousands of students who read the RFCs then look at an implementation.

And if MS was in collusion with the government, what proof is there that the source code they provide for review is the source code used to compile the end product? Do they let the vendors compile Windows themselves? I have my doubts.

Few users compile the source for their favorite Linux or BSD. Fewer still go through the entirety of the source.

Most people use the downloaded executable. Now who is to say that this is identical to the downloaded source? Do you check it? I certainly don't.

Few users compile the source for their favorite Linux or BSD. Fewer still go through the entirety of the source.

Most people use the downloaded executable. Now who is to say that this is identical to the downloaded source? Do you check it? I certainly don't.

There are automated nightly builds for most projects that would be really hard to compromise, and a lot of people do build from source. Not everyone certainly, but enough people that it would get noticed if something was wrong with the official builds.
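The question raised above, whether the executable you downloaded is really what the published source builds into, starts with checking the files against the project's checksum manifest. The script below is an added example, not code from the article or from OpenBSD; it parses both common manifest layouts (the BSD form `SHA256 (file) = hex` and the GNU form `hex  file`), hashes the local files and reports each one as OK, MISMATCH or MISSING. The manifest text and the files it checks are constructed inline for the example.

```python
"""Verify downloaded files against a published SHA256 manifest.

Added example (not the article's or OpenBSD's code). Handles BSD-style
``SHA256 (file) = hex`` lines and GNU-style ``hex  file`` lines.
"""
import hashlib
import os
import re
import tempfile

BSD_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<digest>[0-9a-fA-F]{64})$")
GNU_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64}) [ *](?P<name>.+)$")


def parse_manifest(text):
    """Return {filename: expected_sha256_hex} from BSD- or GNU-style lines."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BSD_LINE.match(line) or GNU_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised manifest line: %r" % line)
        expected[m.group("name")] = m.group("digest").lower()
    return expected


def sha256_file(path):
    """Hash a file in chunks so large install sets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(manifest_text, directory):
    """Map every manifest entry to 'OK', 'MISMATCH' or 'MISSING'."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed download directory: one intact file, one altered file,
    and one manifest entry with no file on disk at all."""
    good = b"constructed stand-in for an official kernel image\n"
    altered = b"constructed stand-in for a modified install set\n"
    original = b"constructed stand-in for the original install set\n"
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "bsd.rd"), "wb") as f:
        f.write(good)
    with open(os.path.join(d, "base.tgz"), "wb") as f:
        f.write(altered)
    manifest = (
        "SHA256 (bsd.rd) = %s\n" % hashlib.sha256(good).hexdigest()
        + "%s  base.tgz\n" % hashlib.sha256(original).hexdigest()
        + "SHA256 (comp.tgz) = %s\n" % ("0" * 64)
    )
    return verify(manifest, d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-10s %s" % (name, status))
```

A manifest fetched from the same mirror as the files it describes proves little on its own, since whoever can alter the files can alter the manifest; it has to be authenticated through a separate channel (OpenBSD, for instance, signs its SHA256 files with signify). The check also only establishes that you have the bytes the project published, not that those bytes were built from the source you audited; closing that second gap is what reproducible builds are for.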

For those who manage or contribute to open source projects: just how often are real, sit down and go over the code line by line security audits performed? How long would it take to do this for an entire network stack? And was it done in this case looking for subtle issues that would open a key? I don't know the answer to these questions and I'd really like to understand because it IS a fundamental tenet of open source software.

As Xavin mentioned, contributions are generally audited in-line for well-structured, well-managed OSS projects. For instance, in the Linux kernel, large, invasive commits are generally frowned upon unless there's very solid justification, and even when they're necessary, they tend to get a lot more attention and review. Your typical contribution patch also goes up a pretty well-structured chain-of-command, where specific subsystem maintainers are the first line of review before it goes to the lkml at large.

Furthermore, although this isn't always publicised, it's not at all unheard of for organizations using an OSS stack to actually sit down and audit (or pay some experts to audit) the entire stack. The availability of public, automated review services (i.e. Coverity) also helps. How thorough/effective such audits are is debatable and will obviously depend largely on the size and complexity of the source code.

I do know, from past subscription to the @full-disclosure mailing list, that vulnerabilities are often uncovered specifically as a result of such third-party audits. I don't know how often this is the case, though, and with not everybody detailing the audit trail leading to vuln discovery, it's pretty hard to determine the full extent of such activity.

So am I the only one here who believes that the FBI should be able to conduct surveillance?

Not by putting the rest of us at risk.

I believe the FBI keeps us safer.

I think you're confused, Polecat. The FBI has the ability to investigate and conduct surveillance, and there are lots of ways it can do this, from the incredible powers they are given from the Patriot Act to the wiretapping laws that have mandated that digital telecommunications equipment (read: pretty much everything currently used) must have a port through which the FBI can monitor communications. All of this must be done in accordance with US law and a court-issued warrant, where applicable. All of this surveillance has judicial oversight, as it should under the US Constitution. (To be clear I mean "should" to mean "according to law" not "what I think is the right way to do things.")

What this backdoor allows the FBI to do is surreptitiously monitor communications without a warrant or outside the boundaries of the law. Additionally, and I believe this point is the most important issue here, this backdoor allows the FBI to tap the communications of everyone using this software, not merely the subject of an investigation.

Since the FBI is not a foreign intelligence agency and is a domestic federal law enforcement agency, they should almost always be required to have a search warrant to monitor communications. They aren't an intelligence gathering organization. Warrants are very powerful to the point where the FBI need not have the technical ability to access the information. They only need to demand it from someone who does have the ability to get it.

I don't think you'll find many people objecting to the FBI fighting crime and using every lawful means in their possession to do it. But this backdoor is equivalent to the FBI putting a special peephole into every house in the US built using certain materials without a warrant. Now, the FBI may not be looking at any given time, but they can and I'm sure they would. If you think that's OK, well, you don't really understand the protections of the US Constitution, and I'd be scared to death to live under your conception of freedom.

If history teaches us anything, it's that the FBI can't be trusted to not abuse the powers they're given, let alone the powers they create for themselves without oversight.

The great thing about open source programs is that you can audit the source. But if no one audits the source code and just assumes someone else has, then you potentially have situations such as this.

There are audits, and audits. If you're auditing for stack overflows and suchlike, you may easily overlook a few extra microseconds inserted to signal that the key bit was a 1 instead of a 0. Things that you know you should be looking for are, if present, sometimes quite obvious, while things that are not expected *and* have been designed to be subtle may not be noticed.

If the back doors exist, I am confident they will be found, and probably quickly. The domino effect may cause some major patches in every OS still alive today, however.
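The point made above, that an audit hunting for overflows can miss a routine whose running time depends on a key bit, is easiest to see on the smallest possible case: a comparison that stops at the first mismatching byte. The script below is an added example, not code from the article or from OpenBSD. It instruments an early-exit comparison and a constant-time one with a step counter (a stand-in for the cycle or wall-clock measurements a real audit would take) and runs the audit check an auditor would use: feed probes that match successively longer prefixes of the secret and see whether the amount of work changes. The secret and probes are constructed for the example.

```python
"""Detect secret-dependent work in a comparison routine.

Added example (not the article's or OpenBSD's code). The step counter
stands in for timing measurements; with real code you would time many
runs per probe and compare the distributions statistically.
"""


class Counter:
    """Elementary-step counter, reset by each comparison under audit."""
    steps = 0


def naive_compare(a, b):
    """Early-exit compare: the steps taken reveal how long a prefix matched."""
    Counter.steps = 0
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        Counter.steps += 1
        if x != y:
            return False
    return True


def constant_time_compare(a, b):
    """Examine every byte; the work is the same wherever (or whether) they differ.
    Python's own primitive for this is hmac.compare_digest."""
    Counter.steps = 0
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        Counter.steps += 1
        diff |= x ^ y
    return diff == 0


def prefix_probes(secret):
    """Probes matching 0, 1, ..., len(secret) leading bytes of the secret;
    every remaining byte is bit-flipped so it is guaranteed to differ."""
    return [secret[:k] + bytes(c ^ 0xFF for c in secret[k:])
            for k in range(len(secret) + 1)]


def work_profile(compare, secret, probes):
    """Distinct step counts observed across the probes."""
    counts = set()
    for p in probes:
        compare(secret, p)
        counts.add(Counter.steps)
    return counts


def leaks_work(compare, secret):
    """Audit verdict: True if the routine's work varies with how much of the
    secret a probe matches, i.e. a timing channel on the secret is plausible."""
    return len(work_profile(compare, secret, prefix_probes(secret))) > 1


SECRET = bytes(range(16))  # constructed 16-byte stand-in for a key or MAC


if __name__ == "__main__":
    for name, fn in (("naive", naive_compare), ("constant-time", constant_time_compare)):
        print("%-14s step counts %s -> %s" % (
            name, sorted(work_profile(fn, SECRET, prefix_probes(SECRET))),
            "LEAKS" if leaks_work(fn, SECRET) else "ok"))
```

The naive routine produces seventeen different step counts for seventeen probes, so each probe reveals exactly how many leading bytes were right; the constant-time routine always takes sixteen steps. A counter like this is only a model: in compiled code the compiler can reintroduce an early exit the source avoided, so the measurement that matters is taken on the binary that actually ships.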

" One of the basic tenets of open source software is that it is inherently safer than proprietary software because of the transparency and so many people looking at it...

It would seem likely that the FBI or some other organization could pay Microsoft or other proprietary vendors to plant backdoors. What you lose with closed-source is the ability for anyone with the skill to audit the code.

Various parties have long speculated that there are backdoors into Windows, but unless the source gets leaked, we'll never know. I'd still trust the security of OpenBSD over Windows any day.

I always hear this argument but it makes little sense. With closed source comes accountability. If anyone were to ever find out that MS planted back doors deep down in the OS code for the FBI, think of all the lawsuits that would occur.

Now with open source software like OpenBSD, who exactly is there to blame? Without accountability, code review/auditing can only do so much.

There are pros and cons to both philosophies and neither is perfect.

I wonder if those back doors existed for long period of times or were just patched. I don't use this flavor of BSD but with review of code wouldn't they be seen and then just patched with the updates, with an explanation that they found this vulnerability and here is the patch? I would have thought though that these back doors would have raised a red flag.

The more striking thing to me would be the willful sabotage that was going on... That is the real problem as I see it.

While the dangers riskin mentions above are very real, we should keep in mind that there is no reason that the creators would be the only ones with access to the backdoor.

Details of a backdoor could be leaked - either by the developers or the people who worked with them to create it - and all of the sudden it's not just the FBI we have to trust anymore. And just because no public audits have found a backdoor doesn't mean that there's not another party out there that has found it. Any backdoor becomes a critical point of failure of the security of the system. Either the system is as secure as was intended or it is not. If it is not, we're vulnerable and the identity of those who would take advantage of that vulnerability is almost irrelevant.

Speaking in terms of real security, it doesn't strike me as likely that any backdoor, for any purpose, could have been secured to the point where just one secret key opens the door.

Obviously, this applies to a real backdoor. Given the information mentioned above and in the article, I'm skeptical.

Is it true that all open source OSes use the OpenBSD network stack or a fork thereof, and MacOS X, as it is BSD-based?

MacOS X is based partly on FreeBSD, not OpenBSD. Some versions of Windows also use an IP stack based on FreeBSD, but that does not necessarily mean they used the IPSEC portion. I'm not sure how much code FreeBSD shared/shares with OpenBSD, but according to Wikipedia they do not share an IPSEC implementation:

Wouldn't that place a backdoor on every computer, government or not, using that OS?

Yes, the article mentions that Perry suggested that this is why DARPA dropped support of OpenBSD.

Quote:

Given that the code is open source, wouldn't it be possible for any intelligence agency in the world to track those backdoors and use them?

Yes, presumably they don't care if this opens others to spy on the people they are spying on. They also could have hoped that it was obfuscated enough that other intelligence agencies wouldn't spot it. Assuming that the accusation is true, the people working on the software didn't notice (and the OpenBSD community is known for being very paranoid about security, not that it is a bad thing to be paranoid about) so it was likely well hidden.

@Putrid Polecat: Yes... Well, you're among a vanishingly small minority. Especially when you consider that this is not about Americans whatsoever. The FBI has no right to do surveillance on (for example) Canadians talking to Britons: these communications do not go through the US, and do not involve the US.

...

But it is. Berkeley Standard Distribution. Berkeley, California. Made in the USA. There were encryption export regulations for years and these backdoors were not inconsistent with that export philosophy. Other countries are free to develop their own IPSEC implementations. Just sayin'.

The original BSD came from Berkeley. Its descendants (FreeBSD, NetBSD, and yes, OpenBSD) are developed by individuals scattered around the world. IPSEC specifically is written by non-Americans, as that is the only way to ensure its crypto code doesn't run afoul of US weapons export regulations.

I seem to remember at least one article about the DOJ working with Microsoft to "confirm security standards..." during the development of Windows 7. It would be nice to know if that led to backdoors in Win7.

Honestly? The frigging FSB has access to the Windows source, do you REALLY think they wouldn't be a tad irate if they found such a backdoor? Maybe? Perhaps?

I always hear this argument but it makes little sense. With closed source comes accountability. If anyone were to ever find out that MS planted back doors deep down in the OS code for the FBI, think of all the lawsuits that would occur.

What lawsuits?

Sure, plenty would be filed, but then they'd all be sealed for national security and dismissed by the government.

Do you not recall the big wiretapping lawsuit BS? The lawsuits got sealed and dismissed in the name of 'national security'.

Intelligent people will realize that Microsoft is no more immune to employees taking FBI bribes than open-source developers, and given the deployed base, the Microsoft bribes might be larger.

No, not really. Microsoft permits governments access to its source code, with auditing and tools to verify that compiled binaries match the code they audit. This is specifically to address the concerns that a US based company could be influenced by the US government to implement such back doors.

I highly doubt that Russia and China would turn an intentional blind eye to such a back door for any US government agency, and vice versa.

I highly doubt that Russia and China would turn an intentional blind eye to such a back door for any US government agency, and vice versa.

Who said they turned a blind eye? You're suggesting that the entire OpenBSD IPSec team was paid off to ignore these backdoors?

I'm not referring to that type of situation at all.

If the backdoors are subtle information leaks, and the entire OpenBSD IPSec team didn't notice the problems, what makes you think that governments would notice similar problems in Windows?

In fact, if I recall, this is part of why China is building their own Linux distro, so that they can use all homegrown labor and be more sure of the source of the code, so that instead of known 'backdoors' they only have unknown bugs.

reflex, if he is telling the truth, it is always possible he was bound by some other NDA. Perhaps a generic one he had to sign as CTO, but if he wasn't on the "backdoor group" he may never have been forced to sign anything more stringent (a screw up on the FBI's part I'm sure). Hell, he may be referring to rumors or paperwork that crossed his desk. If he is telling the truth, that is. Just a guess and what not, but possible.

reflex, if he is telling the truth, it is always possible he was bound by some other NDA. Perhaps a generic one he had to sign as CTO, but if he wasn't on the "backdoor group" he may never have been forced to sign anything more stringent (a screw up on the FBI's part I'm sure). Hell, he may be referring to rumors or paperwork that crossed his desk. If he is telling the truth, that is. Just a guess and what not, but possible.

You are basically saying that an intelligence operation so intricate and hidden that it went unnoticed for a decade in a project with thousands of global developers devoted to security as their number one priority, messed up its NDA's? Seriously?

This does not pass the smell test. And some of the people he named are turning out to have never had involvement or contributions to the code in question.

Who said they turned a blind eye? You're suggesting that the entire OpenBSD IPSec team was paid off to ignore these backdoors?

Where did I make that suggestion? I responded to the suggestion that Windows is somehow more vulnerable to manipulation like what is alleged by its closed source nature by pointing out that it is open source to those with the proper license, such as governments like China and Russia (as well as the US). Could such code be inserted? I doubt it, but anything is possible. But presumably China's auditors are not being any easier on the Windows code than they would be on OpenBSD or Linux code, so they would be just as vulnerable in either scenario.

Quote:

I'm not referring to that type of situation at all.

If the backdoors are subtle information leaks, and the entire OpenBSD IPSec team didn't notice the problems, what makes you think that governments would notice similar problems in Windows?

Exactly. The original implication was that it would be *easier* to put such a back door into Microsoft software due to its closed source nature. But while the exploit itself may be feasible, its detection would be no more or less likely by foreign governments as they *do* have access to the source.

Quote:

In fact, if I recall, this is part of why China is building their own Linux distro, so that they can use all homegrown labor and be more sure of the source of the code, so that instead of known 'backdoors' they only have unknown bugs.

Exactly the opposite in fact. They are building their own distro so they can spy on their citizens and more easily sanitize their internet access. It's not about securing their government computers; in fact no Chinese military computer would ever run their version as it would have explicit vulnerabilities that could potentially be exploited by someone other than their own government security services.

I highly doubt that Russia and China would turn an intentional blind eye to such a back door for any US government agency, and vice versa.

Anyways...

reflex-croft wrote:

The original implication was that it would be *easier* to put such a back door into Microsoft software due to its closed source nature. But while the exploit itself may be feasible, its detection would be no more or less likely by foreign governments as they *do* have access to the source.

So, as I stated much higher in the thread, neither open nor closed source is immune to this, and neither has a terribly great advantage in being sure it's not there. More people are looking at the OpenBSD code, but I doubt the number of highly experienced cryptologist programmers looking at OpenBSD is any greater than the number looking at Windows.

Quote:

Exactly the opposite in fact. They are building their own distro so they can spy on their citizens and more easily sanitize their internet access. It's not about securing their government computers; in fact no Chinese military computer would ever run their version as it would have explicit vulnerabilities that could potentially be exploited by someone other than their own government security services.

Meh, if they insert them, and close the source to non-gov people, they could easily compile with _BACKDOORS_ON_ or _BACKDOORS_OFF_.

Or maybe this guy is still in the employ of the FBI, and the FBI doesn't like OpenBSD because they can't crack its encryption, and they are finding more and more of their targets using OpenBSD. So why not plant a little FUD and send people scurrying away from the platform?

Or maybe *you* are in the employ of a group of open source zealots that are trying to put forth an "FBI hates BSD" conspiracy theory in order to plant a little FUD and send people scurrying to OpenBSD to defend its honor?

Ooo... The plot thickens!

Wait a minute, maybe *I* am in the employ of the FBI and...

Or maybe Ars is in the employ and this whole thing never actually happened. They are relying on no one here actually bothering to find out if it's true, just like no one apparently bothered to audit the code (we all just assume someone else is doing the checking). I mean ask yourself--did you really check the validity of this story or did you just... trust them?